
After the last Java zero-day exploit we reported some weeks ago (http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ [no longer available]), it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one.

Yesterday, Eric Romang reported the finding of new exploit code on the same server where the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP.

The exploit code found on the server works as follows:

- The file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf.

- Moh2010.swf is a Flash file encrypted using DoSWF (http://www.doswf.com [no longer available]). We have seen DoSWF used in the exploit code of other targeted attacks such as:

The Flash file is in charge of doing the heap spray. It then loads Protect.html.

Because of the DoSWF encryption, the malicious code is not readable on disk. The easiest way to obtain the decrypted content is to execute the file within Internet Explorer and attach to the process once the content has been decrypted in memory. In the raw content recovered that way, the following ByteArray is declared:

If we convert the hexadecimal string to raw bytes and then XOR each byte with "E2", we obtain the following bytes, which contain the URL of the malicious payload:

- Protect.html checks whether the system is running Internet Explorer version 7 or 8 under Windows XP. If the victim satisfies those conditions, the vulnerability is triggered and the malicious payload is executed.

The payload dropped is Poison Ivy, as in the previous Java 0day (http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/ [no longer available]).

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team, which leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work on emerging threats and targeted attacks is frequently cited in international publications such as the New York Times, BBC, Washington Post and Al Jazeera.